About Joel Patrick Llosa

I graduated from Silliman University in Dumaguete City with a degree in Bachelor of Science in Business Computer Application. I have contributed to many Java related projects at University of Southampton (iSolutions), Predictive Technologies, LLC., Confluence Service, North Concepts, Inc., NEC Telecom Software Philippines, Inc., and NEC Technologies Philippines, Inc. You can also find me in Upwork freelancing as a Java Developer.

Spring Boot Security Example

Hi Spring Boot fans. Today, we will follow how Nick added Spring Boot Security to his web application and used it to protect his resources. Spring Security provides a wide range of security services for Java EE-based enterprise software applications. The two main areas of application security that Spring Security targets are “authentication” and “authorization or access-control”.

1. Tools

2. Assumptions

Nick knows his way around Eclipse. He is familiar with Maven and has done a fair amount of coding in his lifetime. His project has been created using Eclipse Mars so all instructions are based on this IDE.

3. Project Object Model

The first thing he did was to add Spring Boot Security to the classpath.

The above code shows the endpoints of Nick’s web app. He will be securing the /enigma endpoint because there are top secret messages in that endpoint. Only authorized personnel are allowed to access it. Nick ran the application (Run As -> Java Application) and accessed it on localhost. This is what he saw:

localhost:8080

5. Secured Endpoint

To prevent unauthorized users from accessing the /enigma endpoint, Nick created the code below. It forces the user to sign in when hitting /enigma; without it, the endpoint can be accessed by anybody.

The above code is the meat of Nick’s web security. His class is annotated with @EnableWebSecurity to enable Spring Boot Security’s web security support and provide the Spring MVC integration. He also extended WebSecurityConfigurerAdapter and has overridden some of its methods to customize the web security configuration.

The configure method defines which URL paths are secured and which are not. The above code secures the /enigma endpoint, as it was his task to do so. All other paths do not need any authentication.

Nick provided a custom login page as specified by .loginPage("/login"). Recall that this was mapped in ControllerConfig.java. So users accessing /enigma will have to log in before they are able to view the web page.

The userDetailsService method sets up an in-memory user store with a single user. The username is 007 and the password is JamesBond with a role of “USER” (authorization or access-control). The method withDefaultPasswordEncoder is unsafe for production use because the password is compiled into the source code and is then included in memory at the time of creation, which means it can be recovered as a plain-text password. Nick is using it because this is just a fantasy example. For production purposes, ensure the password is encoded externally.

Below is what the login screen looks like.

Login Form

6. Authenticated Access

If the user supplied the correct username and password, he shall see the top secret message as shown below.

/enigma endpoint

7. Spring Boot Security Summary

Let’s summarize what Nick did in order to add Spring Boot Security to his web app. To secure his web app, he added Spring Boot Security to the classpath. Once it was in the classpath, Spring Boot Security was enabled by default. He then customized the security by extending WebSecurityConfigurerAdapter and added his own configure and userDetailsService implementation. That’s all there is to it and Nick is a happy camper.
